Viktor Dukhovni <postfix-us...@dukhovni.org> wrote on 05.03.20 at 16:44:14:

> On Thu, Mar 05, 2020 at 09:08:43PM +0100, ratatouille wrote:
> 
> > Don't know why TLSv1 is still offered on our servers running  
> 
> Probably because you're not changing the configuration in the right
> place.  Double-check that you're configuring the correct Postfix
> instance (if using multiple instances) and that there are no
> master.cf overrides that trump the main.cf settings.
> 
> > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
> > smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1  

Found out if I want to disable TLSv1.1 too I just have to do so.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
and suddenly it works ;)

> It is not yet a good idea to disable TLSv1 in SMTP.  But if you must
> degrade[1] your SMTP security for some clients to make sure that all the
> check boxes come out green, then the above should be enough, provided it
> is set in the right place.  I can confirm that bitclusive.de still
> supports TLSv1:
> 
>     $ posttls-finger -c -Lsummary -p TLSv1 bitclusive.de
>     posttls-finger: Verified TLS connection established to 
> smtp.bitclusive.de[2a03:4000:33:430:d423:c2ff:fe3d:b540]:25: TLSv1 with 
> cipher ECDHE-RSA-AES256-SHA (256/256 bits)
> 
>     $ posttls-finger -c -Lsummary -o inet_protocols=ipv4 -p TLSv1 
> bitclusive.de
>     posttls-finger: Verified TLS connection established to 
> smtp.bitclusive.de[92.60.38.182]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA 
> (256/256 bits)
> 
> Other than test TLS connections, do you still legitimate inbound email
> in your logs (looking over a week or more of logs) delivered with TLSv1?

I have just two TLSv1 connections this month:
...
 11 TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)
  9 TLSv1.2 with cipher CAMELLIA256-SHA (256/256 bits)
  9 TLSv1.2 with cipher CAMELLIA128-SHA (128/128 bits)
  9 TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
  8 TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
  8 TLSv1.1 with cipher AES256-SHA (256/256 bits)
  8 TLSv1.1 with cipher AES128-SHA (128/128 bits)
  7 TLSv1.1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
  7 TLSv1.1 with cipher DHE-RSA-CAMELLIA128-SHA (128/128 bits)
  7 TLSv1.1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
  7 TLSv1.1 with cipher CAMELLIA256-SHA (256/256 bits)
  7 TLSv1.1 with cipher CAMELLIA128-SHA (128/128 bits)
  4 TLSv1.2 with cipher ECDHE-RSA-DES-CBC3-SHA (112/168 bits)
  2 TLSv1.2 with cipher DES-CBC3-SHA (112/168 bits)
  1 TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
  1 TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

> If not, then perhaps disabling TLSv1 will be harmless, but if you do,
> perhaps prod the senders to upgrade first, before you prevent them
> from establishing TLS connections to your MTA.

internet.nl says TLS 1.1 should be phased out and criticises this.

It also criticises the key exchange parameter DH-4096 as insufficient.
I just created that key and made it available with
smtpd_tls_dh1024_param_file = ${config_directory}/dh_4096.pem

Ok, thank you very much! Competent as always. I'll keep TLSv1 enabled
for now.

-- 
Regards

  Andreas
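
One way to do the log check Viktor suggests, as an added example that is not part of this thread and not Postfix's own tooling: it tallies inbound smtpd "TLS connection established from" lines by protocol and cipher (the same shape as the list above) and names the client hosts still negotiating TLSv1/TLSv1.1, i.e. the senders to prod before tightening smtpd_tls_protocols. The log lines are constructed; hostnames and addresses are documentation-range placeholders.

```python
import re
from collections import Counter, defaultdict

# Matches Postfix smtpd inbound handshake lines. The trust level prefix
# (Anonymous/Untrusted/Trusted/Verified) is accepted but not used here.
_TLS_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>TLSv[0-9.]+) with cipher (?P<cipher>\S+) \((?P<bits>[0-9/]+) bits\)"
)

# Constructed sample log (placeholder hosts/addresses, not real senders).
SAMPLE_LOG = """\
Mar  1 08:12:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)
Mar  1 09:40:17 mx postfix/smtpd[2188]: Untrusted TLS connection established from legacy.example.org[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  2 11:03:55 mx postfix/smtpd[2301]: Anonymous TLS connection established from mail-b.example.net[192.0.2.11]: TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar  3 14:22:09 mx postfix/smtpd[2410]: Trusted TLS connection established from legacy.example.org[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Mar  3 14:25:44 mx postfix/smtpd[2412]: connect from mail-a.example.net[192.0.2.10]
Mar  4 16:44:14 mx postfix/smtp[2500]: Verified TLS connection established to smtp.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

def summarize_tls(log_text):
    """Return (counts, senders): counts is a Counter keyed like
    'TLSv1 with cipher NAME (bits)', senders maps protocol -> set of hosts."""
    counts = Counter()
    senders = defaultdict(set)
    for line in log_text.splitlines():
        m = _TLS_RE.search(line)
        if not m:
            continue  # outbound smtp lines and non-TLS lines are skipped
        key = f"{m['proto']} with cipher {m['cipher']} ({m['bits']} bits)"
        counts[key] += 1
        senders[m["proto"]].add(m["host"])
    return counts, senders

def legacy_senders(log_text, protocols=("TLSv1", "TLSv1.1")):
    """Hosts that still negotiated one of the versions you intend to disable."""
    _, senders = summarize_tls(log_text)
    return sorted(set().union(*(senders[p] for p in protocols)))

if __name__ == "__main__":
    counts, _ = summarize_tls(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(f"{n:3d} {key}")
    print("still on TLSv1/TLSv1.1:", ", ".join(legacy_senders(SAMPLE_LOG)))
```

Run it against /var/log/mail.log (a week or more, as Viktor suggests) instead of SAMPLE_LOG; the outbound "smtp" lines from your own posttls-finger tests are excluded because only smtpd lines are matched.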
